What’s been the shift from dedicated appliances, such as firewalls, to multifunction devices?

Firewalls were dominated by companies like Check Point, which basically sold software, and then that software was … stuck onto a server [to make an appliance]. That had a number of [problems] associated with it. … Also, networking folks like networking devices to solve networking problems, whereas software running on a server is not the preferred method of solving a networking problem—it’s for running applications, databases, etc.

So the move has been … to take networking functions and embed them into the network device where they belong. And the most successful thing—the NetScreen model—has been to take the software, put it on an embedded, hardened operating system, and then … accelerate the parts of it that go slow, [using] dedicated silicon, with specialized chips.

When did the shift to dedicated appliances begin?

It really started in the late ’90s—1996, 1997, 1998 saw the first successful products. And their growth has continued to be rapid, at the expense of the folks who sell software for the server. …

Also, what a [classic] firewall is aimed at stopping are connection-oriented attacks—the idea that I’m sitting at my keyboard pounding away and trying to go after you, using certain applications or resources, and it’s a one-to-one affair—me versus you, if you will. The way a stateful-inspection firewall worked was by looking at that and saying, “Why is he doing that?” and breaking the connection if necessary. … And still today, that does encompass a lot of attack activity—but what really affects organizations now are content-based attacks.

What’s a content-based attack?

Viruses, worms, Trojans, “grayware,” spyware, e-mail spam, even nasty Web sites can be thought of as potential ways to attack you. These are things that don’t care where you are, what geography you’re in. Everything is equal in the eyes of a worm.

The reason they’re called content threats is because you can’t tell, just by looking at the source of the information—it’s coming from an e-mail or Web server—whether it’s good or bad.

For example, you might send me an e-mail from your e-mail server, and it could be a perfectly good e-mail. The next could be malevolent. The nature of a content attack means you can’t just stop by looking at the outside of the envelope—who it’s coming from. You actually have to look at the inside, at packets, and it doesn’t really work to look at the individual packet. The only way to really detect sophisticated attacks is to take things apart, then glue them back together.

What are the technical challenges involved in that sort of packet analysis?

It can be a hundred to a thousand times more effort to do that kind of processing. So … if you want to do that level of content analysis in a network, you can’t do it using standard computational means. … Plus networking speed is always paramount. No one wants to do anything slow in a network.

So what we did was to come up with a new kind of architecture, a new type of platform, with a unique ASIC [application-specific integrated circuit] and silicon … to also be able to deal with content-based threats in the network, but without slowing down. We have a device that combines [such things as] a firewall with stateful inspection, VPN, intrusion prevention, antivirus, anti-worm and grayware detection, anti-spam, and Web content filtering, and all of that is delivered in a single box.

What are the potential cost savings from combining such functionality?

Sometimes, an 80 percent cost savings just from purchasing that equipment. Then my ongoing costs are dramatically lower, plus they’re easier to administer. Those are the very obvious benefits, and they’re very significant, and the big thing that’s been driving the move toward appliances.

The less obvious but increasing benefit of … integrated solutions like ours is the fact that you can actually deliver better levels of security, because the threats today are very complex … and the lines between spam, grayware, and worms are very [faint]. For example, some worms today help redirect mail relays to distribute spam. Yet tuning disparate systems to deal with all that is really beyond the capabilities of most network administrators. So there’s really no alternative to having an integrated set of security functions that operate all together. The alternative is almost like trying to drive your car with one hand on the carburetor.

What’s the typical rollout time for one of these appliances?

In a [recent review] comparing five or six different vendors, including us, that had firewall, antivirus, and intrusion detection and prevention, among other things, they said they had our box up and running in less than 20 minutes.

Beyond cost savings, are regulations a driver for using multifunction appliances?

Yes. There are a whole bunch of organizations that don’t know they’re subject to these regulations. Yet there are a whole bunch of regulations, particularly the Gramm-Leach-Bliley Act, plus Sarbanes-Oxley and HIPAA, that are putting a duty of due care—both on the protection of information at rest, and in transit.

For example, would you imagine a car dealership is subject to the Gramm-Leach-Bliley Act? Well, if they’re taking financial information or credit card transactions, leasing, then they are. And a lot of them don’t know it. … [Yet the law covers] really anything that’s identified as a “financial” institution, and that’s not just a bank. It’s really scary, because you can face fines of up to $11,000 per day for non-compliance.

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company’s print publications. Mr. Schwartz is also a security and technology freelance writer.